Data transfers: why TikTok and NOYB are just the tip of the iceberg
TikTok is back in the privacy spotlight. Not for the first time, the platform has come under fire for how it handles data, and this time, the fine from European regulators is serious. But if we stop at TikTok, we miss the bigger story.
In January 2025, privacy group NOYB filed complaints against several major Chinese tech firms: TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi. The core issue? These companies transferring the personal data of European users to China, where surveillance laws offer little protection. Under the GDPR, that’s not acceptable. Adequate safeguards must be in place, and China currently lacks an EU-approved adequacy decision.
Here’s where it gets interesting: these complaints could reshape how all companies handle international data transfers. And not just to China.
Global enforcement is picking up
Regulators aren’t just looking east. Meta was fined €1.2 billion for sending data to the US. Several European data protection authorities have banned the use of Google Analytics due to similar US data transfers. Microsoft was also pulled up over how EU institutions use its cloud services. The message is clear: if you’re moving data across borders, you must ensure that it remains protected.
And it doesn’t matter whether you’re a global tech giant or a mid-sized company using a handful of overseas tools. If your systems send personal data outside the UK or EU, you're on the hook.
Everyday privacy operations are in the frame
Here’s what this means in real terms for privacy professionals:
- Your SaaS tools matter: If you use cloud-based software hosted outside the EU/UK (or using support teams in other countries), you may be exporting personal data.
- TIAs aren’t optional: After the Schrems II ruling, Transfer Impact Assessments (TIAs) are a regulatory expectation. You need to understand the legal environment in the country your data is going to.
- Default isn’t compliant: Just having standard contractual clauses in place won’t save you. You must demonstrate that those contractual protections work effectively in practice.
- Training is essential: Broader teams must understand the risks of using services that transfer data overseas. Shadow IT and marketing tools are big culprits here.
Even companies that don’t consider themselves "international" may be transferring data without realising it. A CRM tool, analytics platform or support chat service might be pushing personal data to the US, India or elsewhere. If you're not mapping your data flows carefully, you're likely flying blind.
What about the UK?
Post-Brexit, the UK has largely mirrored the EU’s data protection rules. The ICO expects companies to perform transfer risk assessments and use its own standard clauses (called IDTAs). There’s also the new UK-US data bridge, which helps ease transfers to some US companies. But the fundamental principle remains: if you're moving personal data abroad, the protection must travel with it.
Don't assume the UK is going soft on enforcement. The ICO’s fine against TikTok in 2023 is a clear sign that regulators remain active and vigilant.
Lessons for every business
So what can privacy teams take away from all this?
- Data transfer isn't a niche concern anymore. It’s mainstream. Regulators are watching closely, and it affects tools many of us use daily.
- It’s not just about China. Yes, NOYB’s complaints focus on Chinese firms, but the same scrutiny is being applied to US providers and even EU-based companies that work with global partners.
- Paper shields don’t work. Contracts are helpful, but only when backed by real safeguards. Encryption, access controls, and an understanding of local law all matter.
- Risk-based thinking is key. Regulators expect more than a tick-box exercise. Can you explain and justify your approach? Do you know where your data is going, and what happens to it there?
- Having a plan matters. If a regulator asked you tomorrow about your international data flows, could you answer confidently? If not, it’s time to act.
How Privacy Culture can help
This is where a partner like Privacy Culture comes in. We help organisations of all sizes navigate international data flows, whether that’s understanding your current exposure, helping with TIAs, or training your teams to spot and manage risk.
We believe in keeping privacy practical. That means giving you the tools and know-how to handle data transfers with confidence, without drowning in legal complexity.
Whether you’re a multinational business or a UK-based organisation using international suppliers, the lesson is the same: data transfers are under the microscope. It's time to bring them into the open and treat them with the attention they deserve.